With the widespread use of the Internet, attempts to defraud people have also increased. Thus it is vital to develop strong authentication techniques. Two prevalent fraud attempts are phishing and man-in-the-middle (MITM) attacks. Phishing involves the non-real-time collection of usernames and passwords and other sensitive data. These data could later be used by the attacker to defraud users. MITM can be described as phishing plus real-time proxying. Several solutions are available for phishing and MITM attacks.
Potter et al. (E. R. Potter and P. M. Skirvin, “Validated Mutual Authentication”, U.S. Pat. No. 7,266,693, Sep. 4, 2007) teach authentication using fractal images. The user, while registering chooses a fractal image from out of a number of images. Subsequently, during each transaction the user wants to perform, (s)he will be provided with a list of images from which the user is required to choose the right one.
Lev (Z. H. Lev, “System and Method of Generic Symbol Recognition and User Authentication Using a Communication Device with Imaging Capabilities”, U.S. Pat. No. 7,263,205, Aug. 28, 2007) presents a method for a user with an imaging device to send digital information appearing on a screen or in print to a remote server. The digital image that has authentication data will then be processed by image processing software to validate the user.
Steeves et al. (D. J. Steeves and M. W. Snyder, “Secure Online Transactions Using a Captcha Image as a Watermark”, U.S. Pat. No. 7,200,576, Apr. 3, 2007) teach supplying a user with a device that is capable of generating identifiers from a user-specific key. When the user wants to conduct a transaction, (s)he contacts the transaction provider. The transaction provider determines an identifier that should be currently generated by the user's device. It creates a captcha image of the identifier and watermarks a transaction verification page with this captcha image. The user is then sent this page and asked to provide the next identifier her/his device generates. If the user is successful in sending the correct identifier, the transaction is verified. Otherwise the transaction is rejected.
Gasparini et al. (L. A. Gasparini and C. E. Gotlieb, “Method and Apparatus for Authentication of Users and Websites”, U.S. Pat. No. 7,100,049, Aug. 29, 2006) propose a method of mutual authentication. For example, when a user requests a page from a website, customization information that can be recognized by the user is sent to the user. The user then checks if the page is the right one. Also, the website examines a signed and encrypted cookie stored on the user's system to validate the user.
The aforementioned techniques are fairly involved and are quite expensive to implement. They all have weaknesses, and the user remains vulnerable to social engineering attacks. There is, therefore, a need for more robust solutions for phishing and MITM attacks with respect to ease of implementation, cost of implementation, level of security, and/or the like.